[Dshield] Extreme increase in spam attempts... anyone else seeing a similar event?
Chris Mitchell
cmitchell at smtusa.com
Fri Aug 17 14:35:56 GMT 2007
We have seen this in the last 2 days. Tues/Wed I found the majority was
coming from Amsterdam; after blocking the IP ranges I could find for them,
everything seems to be back to normal. We are a small ISP, and were seeing
about 60,000 messages to invalid recipients an hour. Would love to know
what happened or is happening that would cause an increase like this.
Chris
-----Original Message-----
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org]
On Behalf Of Chris Phillips
Sent: Friday, August 17, 2007 10:26 AM
To: list at lists.dshield.org
Subject: [Dshield] Extreme increase in spam attempts... anyone else seeing a similar event?
Hi
Since yesterday (16 Aug 6pm EDT) I am seeing a HUGE increase in spam
activity:
sed -n '/^Aug 16 18/,$p' /var/log/smtpd.log | egrep 'Not allowed' | wc -l
12110
sed -n '/^Aug 16 18/,$p' /var/log/smtpd.log | egrep 'Not allowed' | egrep UNKNOWN | wc -l
480
(This is less than 24 hours!)
vs
a previous 24 hour period...
sed -n '/^Aug 14 18/,/^Aug 15 18/p' /var/log/smtpd.log | egrep 'Not allowed' | wc -l
115
sed -n '/^Aug 14 18/,/^Aug 15 18/p' /var/log/smtpd.log | egrep 'Not allowed' | egrep 'UNKNOWN' | wc -l
38
The interesting factor is that the majority of this is coming from DNS
registered hosts:
480 out of 12110 = 4% not registered
as opposed to 38 out of 115 = 38% normally...
Any ideas about what might be happening?
(Also note that these almost totally don't have valid local
email addresses as the recipient, though the domain seems
to be correct mostly.
[This is from hand sampling so I don't have specific #'s])
C
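As an added example, not code from either posting: the sed-window plus egrep counting that Chris Phillips typed by hand, wrapped in shell functions so the same two numbers (rejection volume, and the share of rejected senders logged as UNKNOWN, i.e. no reverse DNS) can be pulled for any two windows and compared. It goes one step beyond the post by computing a baseline-to-current spike factor. The log lines are constructed to carry the fields the poster greps for; the real smtpd.log layout is an assumption.

```shell
#!/bin/sh
# Added example, not code from the list posting. The log layout below is an
# assumption modelled on the fields the poster greps for ("Not allowed",
# "UNKNOWN"); the lines themselves are constructed sample data.
export LC_ALL=C

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Aug 14 18:01:02 mx smtpd[101]: 192.0.2.10 (mail.example.net): Not allowed: rcpt bob@example.org
Aug 14 19:15:44 mx smtpd[102]: 192.0.2.11 (UNKNOWN): Not allowed: rcpt alice@example.org
Aug 15 02:30:00 mx smtpd[103]: 192.0.2.12 (host12.example.com): accepted: rcpt carol@example.org
Aug 15 17:59:59 mx smtpd[104]: 192.0.2.13 (UNKNOWN): Not allowed: rcpt nobody@example.org
Aug 15 18:00:01 mx smtpd[105]: 192.0.2.14 (mail.example.com): Not allowed: rcpt dave@example.org
Aug 16 18:00:05 mx smtpd[106]: 198.51.100.5 (host5.example.net): Not allowed: rcpt qq@example.org
Aug 16 18:00:06 mx smtpd[107]: 198.51.100.6 (host6.example.net): Not allowed: rcpt zz@example.org
Aug 16 19:20:00 mx smtpd[108]: 198.51.100.7 (UNKNOWN): Not allowed: rcpt aa@example.org
Aug 16 21:00:00 mx smtpd[109]: 198.51.100.8 (host8.example.net): Not allowed: rcpt bb@example.org
Aug 16 22:10:00 mx smtpd[110]: 198.51.100.9 (host9.example.net): Not allowed: rcpt cc@example.org
Aug 17 01:00:00 mx smtpd[111]: 198.51.100.10 (host10.example.net): Not allowed: rcpt dd@example.org
Aug 17 03:00:00 mx smtpd[112]: 198.51.100.11 (host11.example.net): Not allowed: rcpt ee@example.org
Aug 17 05:00:00 mx smtpd[113]: 198.51.100.12 (host12.example.net): Not allowed: rcpt ff@example.org
EOF

# window LOG START [END]: the same sed address range the post used. START and
# END are line prefixes such as 'Aug 16 18'. Caveat inherited from the post:
# the first line matching END is included in the range, and without an END the
# range runs to end of file.
window() {
  if [ -n "${3:-}" ]; then
    sed -n "/^$2/,/^$3/p" "$1"
  else
    sed -n "/^$2/,\$p" "$1"
  fi
}

# reject_stats LOG START [END]: prints "<rejects> <unknown> <unknown-pct>",
# where unknown-pct is the share of rejected senders with no reverse DNS.
reject_stats() {
  window "$@" | awk '
    /Not allowed/ { r++; if (/UNKNOWN/) u++ }
    END { pct = (r > 0) ? 100 * u / r : 0; printf "%d %d %.1f\n", r + 0, u + 0, pct }'
}

# spike_factor BASELINE CURRENT: current count as a multiple of the baseline
# count (0 if the baseline window had no rejections).
spike_factor() {
  awk -v b="$1" -v n="$2" 'BEGIN { printf "%.1f\n", (b > 0) ? n / b : 0 }'
}

# Stand-alone report over the constructed sample. Pass a real file such as
# /var/log/smtpd.log instead to run the same baseline-vs-current comparison.
report() {
  log=$1
  base=$(reject_stats "$log" 'Aug 14 18' 'Aug 15 18')
  now=$(reject_stats "$log" 'Aug 16 18')
  printf 'baseline  rejects/unknown/pct: %s\n' "$base"
  printf 'current   rejects/unknown/pct: %s\n' "$now"
  printf 'spike factor: %sx\n' "$(spike_factor "${base%% *}" "${now%% *}")"
}

report "$SAMPLE_LOG"
```

On the sample, the baseline window shows half of the rejected senders without reverse DNS while the current window shows one in eight, which is the same shift in mix the poster saw (38% down to 4%): a spike made up mostly of hosts with valid reverse DNS is what a botnet of ordinary, DNS-registered machines looks like, so the UNKNOWN share on its own is a poor spam indicator during such a wave, and the volume ratio is the figure worth alerting on.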